4420 matches found

Tenable Nessus
added 2022/10/19 12:0 a.m. | 54 views

RHEL 7 : rh-nodejs14-nodejs (RHSA-2022:7044)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7044 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.21514
Exploits: 4 | References: 15

RedHat Linux
added 2022/10/18 9:27 a.m. | 3 views

nodejs: weak randomness in WebCrypto keygen

A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...

CVSS: 9.1 | AI score: 7.3 | EPSS: 0.0187
Exploits: 1 | References: 6

RedHat Linux
added 2022/10/18 9:27 a.m. | 39 views

Important: Red Hat Security Advisory: nodejs security update

An update for nodejs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...

CVSS: 9.1 | AI score: 7 | EPSS: 0.02587
Exploits: 2 | References: 3

RedHat Linux
added 2022/10/18 9:6 a.m. | 3 views

nodejs: DNS rebinding in --inspect via invalid IP addresses

A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check whether an IP address is invalid. When an invalid IPv4 address is provided (for instance, 10.0.2.555), browsers such as Firefox will make DNS requests ...

CVSS: 8.1 | AI score: 7.7 | EPSS: 0.05614
Exploits: 0 | References: 5

RedHat Linux
added 2022/10/18 9:6 a.m. | 2 views

nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), causing web cache poisoning, and conducting XSS attacks...

CVSS: 6.5 | AI score: 7.3 | EPSS: 0.35079
Exploits: 1 | References: 5

RedHat Linux
added 2022/10/18 9:6 a.m. | 5 views

nodejs: HTTP request smuggling due to improper delimiting of header fields

A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...

CVSS: 6.5 | AI score: 7.4 | EPSS: 0.77278
Exploits: 1 | References: 5

Tenable Nessus
added 2022/10/18 12:0 a.m. | 36 views

RHEL 8 : nodejs:14 (RHSA-2022:6985)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6985 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS: 8.1 | AI score: 7.1 | EPSS: 0.77278
Exploits: 3 | References: 14

OSV
added 2022/10/18 12:0 a.m. | 29 views

ALSA-2022:6963 Important: nodejs security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16.17.1. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255...

CVSS: 9.1 | AI score: 8.6 | EPSS: 0.02587
Exploits: 2 | References: 6

Tenable Nessus
added 2022/10/18 12:0 a.m. | 66 views

Oracle Linux 8 : nodejs:16 (ELSA-2022-6964)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6964 advisory. - Resolves: CVE-2022-35255 CVE-2022-35256 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note...

CVSS: 9.1 | AI score: 7.8 | EPSS: 0.02587
Exploits: 2 | References: 3

Tenable Nessus
added 2022/10/18 12:0 a.m. | 75 views

RHEL 9 : nodejs (RHSA-2022:6963)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6963 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS: 9.1 | AI score: 7.9 | EPSS: 0.02587
Exploits: 2 | References: 6

OSV
added 2022/10/17 8:15 p.m. | 5 views

AZL-44451 CVE-2022-3517 affecting package nodejs-nodemon 2.0.3-5

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.01674
Exploits: 0 | References: 1

RedHat Linux
added 2022/10/17 10:42 a.m. | 2 views

nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CRLF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a...

CVSS: 6.5 | AI score: 7.5 | EPSS: 0.02587
Exploits: 1 | References: 5

Rockylinux
added 2022/10/17 7:0 a.m. | 37 views

nodejs:16 security update

An update is available for nodejs-nodemon, nodejs, nodejs-packaging. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a software development platform f...

CVSS: 9.1 | AI score: 8.5 | EPSS: 0.02587
Exploits: 2

OSV
added 2022/10/17 12:0 a.m. | 31 views

ALSA-2022:6964 Important: nodejs:16 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodej...

CVSS: 9.1 | AI score: 8.6 | EPSS: 0.02587
Exploits: 2 | References: 6

Tenable Nessus
added 2022/10/17 12:0 a.m. | 69 views

Oracle Linux 9 : nodejs (ELSA-2022-6963)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6963 advisory. 16.17.1-1 - Rebase to version 16.17.1 Resolves: CVE-2022-35255 CVE-2022-35256 Tenable has extracted the preceding description block directly from the...

CVSS: 9.1 | AI score: 7.8 | EPSS: 0.02587
Exploits: 2 | References: 3

Tenable Nessus
added 2022/10/17 12:0 a.m. | 31 views

CentOS 8 : nodejs:16 (CESA-2022:6964)

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2022:6964 advisory. - nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 - nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVE-2022-35256...

CVSS: 9.1 | AI score: 7.8 | EPSS: 0.02587
Exploits: 2 | References: 3

Oracle Linux
added 2022/10/17 12:0 a.m. | 44 views

nodejs security update

16.17.1-1 - Rebase to version 16.17.1 Resolves: CVE-2022-35255 CVE-2022-35256...

CVSS: 9.1 | AI score: 2.6 | EPSS: 0.02587
Exploits: 2

Tenable Nessus
added 2022/10/17 12:0 a.m. | 274 views

RHEL 8 : nodejs:16 (RHSA-2022:6964)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6964 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS: 9.1 | AI score: 7.9 | EPSS: 0.02587
Exploits: 2 | References: 6

Talos
added 2022/10/14 12:0 a.m. | 46 views

Robustel R1510 js_package install OS command injection vulnerability

Talos Vulnerability Report TALOS-2022-1577: Robustel R1510 js_package install OS command injection vulnerability. October 14, 2022. CVE Number: CVE-2022-33150. SUMMARY: An OS command injection vulnerability exists in the js_package install functionality of Robustel R1510 3.1.16. A specially-crafted netwo...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.03359
Exploits: 1

Photon
added 2022/10/12 12:0 a.m. | 33 views

Critical Photon OS Security Update - PHSA-2022-0262

Updates of 'nodejs' packages of Photon OS have been released...

AI score: 1.6 | EPSS: 0.35079
Exploits: 1